i try to validate my login page..
all special characters are not accepted but when
i input a backslash ( \ ), an error message appears..
error in executing query..
please help how to validate it...
tnx
venus_me11
0
Newbie Poster
Recommended Answers
Jump to Postmysql_real_escape_string() will escape data for database entry.
But you don't tell us what you are doing already, show code examples or really give us any idea of what you have done so far, but I assume this will work.
All 4 Replies
Will Gresham
81
Master Poster
mysql_real_escape_string() will escape data for database entry.
But you don't tell us what you are doing already, show code examples or really give us any idea of what you have done so far, but I assume this will work.
venus_me11
0
Newbie Poster
mysql_real_escape_string() will escape data for database entry.
But you don't tell us what you are doing already, show code examples or really give us any idea of what you have done so far, but I assume this will work.
i try to code mysql_real_escape_string() but I'm having an error.. I dont know where to put the function youre trying to say.
here's the code for your reference
<?php
$errorList = array(); //holds the errors encountered
if (isset($_POST['submitted'])) { // Check if the form has been submitted.
require_once ('database.php'); // Connect to the database.
$database = new database();
// Validate the email address.
if (!empty($_POST['username'])) {
$u = ($_POST['username']);
} else {
$errorList[] = '<b>You forgot to enter your username!</b>';
$u = FALSE;
}
// Validate the password.
if (!empty($_POST['password'])) {
$p = ($_POST['password']);
} else {
$p = FALSE;
$errorList[] = '<b>You forgot to enter your password!<b>';
}
if ($u && $p) { // If everything's OK.
$database->Connect();
// Query the database.
$query = "SELECT userid, username, password, userdesc FROM login WHERE (UserName='$u' AND Password='$p') and DelCategory='0'";
$result = $database->executeQuery ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
if (@mysql_num_rows($result) == 1) { // A match was made.
$row = mysql_fetch_array ($result);
$database->Disconnect();
session_start();
$_SESSION['AccountType'] = $row['userdesc'];
$_SESSION['UserName']= $row['username'];
$_SESSION['UsersID']= $row['userid'];
$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
// Check for a trailing slash.
if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
$url = substr ($url, 0, -1); // Chop off the slash.
}
// Add the page.
if ($row['userdesc']== "penafrancia")
$url .= '/admin.php';
header("Location: $url");
exit(); // Quit the script.
} else { // No match was made.
$errorList[] = '<b>The username and password entered is invalid<b>';
}
}
mysql_close(); // Close the database connection.
} // End of SUBMIT conditional.
?>
tomatocms
0
Newbie Poster
Change your query string from
$query = "SELECT userid, username, password, userdesc FROM login WHERE (UserName='$u' AND Password='$p') and DelCategory='0'";to:
$query = "SELECT userid, username, password, userdesc FROM login WHERE (UserName='".addslashes($u)."' AND Password='".addslashes($u)."') and DelCategory='0'";Here I added slashes for parameters before executing query to avoid the SQL injections and make the $query be valid query.
Manuz
2
Junior Poster
Use mysql_real_escape_string() for the variable holding the query, before executing the query.
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.